Parsing input in to logstash

I configure snmp to get information from PDU
Run only two get to test, and output is long.

{
"iso.org.dod.internet.private.enterprises.apc.products.hardware.rPDU2.rPDU2Device.rPDU2DeviceConfigTable.rPDU2DeviceConfigEntry.rPDU2DeviceConfigLocation.1" => "Racl 240 TOP",

"@timestamp" => 2019-02-07T21:21:47.493Z,
"iso.org.dod.internet.private.enterprises.apc.products.hardware.rPDU2.rPDU2Device.rPDU2DeviceConfigTable.rPDU2DeviceConfigEntry.rPDU2DeviceConfigName.1" => "DataCenter1-P1-R240T",
"@version" => "1",
}

Ho do I parse this to remove all leading entry like "iso.org.dod.internet.private......." all the way to second last word? like rPDU2DeviceConfigName ?

Something needs to be done in filter section can't figure out which filter to use. as string will be different for each OID that I will get.

This filter

    ruby {
        code => '
            event.to_hash.each { |k, v|
                if k.start_with? "iso.org."
                    newk = k.sub(/.*\.([^\.]+\.[^\.]+)$/, "\\1")
                    event.set(newk, v)
                    event.remove(k)
                end
            }
        '
    }

will reduce those down to

    "rPDU2DeviceConfigName.1" => "DataCenter1-P1-R240T",
"rPDU2DeviceConfigLocation.1" => "Racl 240 TOP",

Badger, Man you rock. when will I buy you lunch. :slight_smile: :grinning:

Great.

while we are on this ruby topic
how do I do math on field?
rPDULoadStatusLoad = new value

ruby {
code => "event.set('rPDULoadStatusLoad', event.get('rPDULoadStatusLoad.1')/10"
}
but seems like I am doing something wrong.

I try many different combination with this set and get all gives me error.

If rPDULoadStatusLoad.1 is a string (it shows up with quotes in a rubydebug output) then you will need to .to_f it.

event.set('rPDULoadStatusLoad', event.get('rPDULoadStatusLoad.1').to_f/10

well this one just worked. LOL
ruby {
code => "event.set('rPDULoadStatusLoad',(event.get('rPDULoadStatusLoad.1')/10))"
}

I didn't understand or to understand that.
now I have new problem on same parsing.
I have some value that ends with .2 and/or .3 and/or .4

k.sub(/.*.([^.]+.[^.]+)$/, "\1") ---> how is this doing parsing?
how do I tackle that?

actually it works for any number. I didn't test it thought it will not work.
but will be good to know how?

That says anything (.*) followed by a dot, followed by one or more characters that are not dots, followed by a dot, followed by one or more characters that are not dots, followed by the end of the string. So it matches foo.1, foo.2, or even foo.bar

so
([^.]+.[^.]+)$ = one or more character that are not dot, dot, one or more char not dot till end of strings

Thanks. got it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.